>>> On Thursday, 13. December 2007 at 8:34 pm, "Ralf S. Engelschall" wrote:
> I'm this evening trying to implement for OpenPKG one of Thomas
> Lotterer's long awaited features related to security engineering: to
> *recursively* attach to an RPM package the "list of all packages which
> were installed at the built time of the package". [...]
> 
Oh yeah. I want to turn back time. This feature is amazing.

BTW, the OpenPKG world absolutely requires the "package options" to be
remembered.

I examined this feature, dumping all data using "rpm -qa --xml". A
typical software stack with ~65 packages adds a 10MB header to every
package and the DB. The XML bloat can be somewhat defeated with
compression, bzip2 shrinks it down to 10%, lzma to 5%. Still that means
500K to 1MB size increase for every package.

Another issue is the infinite ancestry tracking. Without countermeasure,
repetitive build/installs or natural updates keep the whole genealogical
tree including all ancestors. Some mechanism must be put into force to
prune ancient data. Maybe keep less details for every generation of the
same package or just cut off after n-th generation of the package.

-- 
http://thomas.lotterer.net